support@gracethemes.com

The Ultimate WordPress Security Guide (Step by Step)

Are you sure your site is not exposed to any known vulnerabilities? Going online brings advantages, but it also brings risks unless the site is properly secured. Owning a website is not enough; you need to watch for security breaches and malicious activity. WordPress is a robust, secure and flexible platform, but a little attention to a few do-it-yourself measures makes your site far harder to compromise. No site is 100% secure, and this blog is about how you can reduce the risk to your WordPress website.

How can a security breach happen?

If you miss any of the following, you are on the target list of attackers.

  • No firewall or security plugin
  • Modifications made directly to the WordPress core code
  • Plugins or themes installed from unofficial sources, which may carry malware
  • Admin panel default username and password left unchanged
  • Weak or no passwords on FTP and hosting accounts
  • No malware scanning and no backup of the site
  • Outdated versions of PHP and WordPress

Why me?

This question may have crossed your mind many times. Thinking that nobody will attack your site because it is small or unpopular is wrong. Attackers' bots scan the web constantly for any site they can break into, regardless of its size. A compromised site is valuable in itself: it can be used to host phishing pages and malware, send spam, or act as a relay between the attacker and other victims, so that your domain appears as the middle man in someone else's attack. This not only tarnishes your brand but can severely damage your business, and that is only one example. You may also become a victim of DoS (denial of service) or DDoS attacks, not to forget brute-force and SQL injection attacks. Below I list some key steps so that you can secure your site and keep it safe and healthy.

Steps

These are just the basic steps which you can configure yourself fairly comfortably. Most of them need no special technical knowledge; the few that touch configuration files are explained as we go.

  1. Strong passwords: Change the admin username and password as soon as you install WordPress; do not keep "admin" as the username. Change the default passwords for the database, hosting control panel, admin panel, FTP accounts and connected mail accounts. Make them long and random (a password manager helps), and use a different password for every account; never reuse them.
  2. Updated versions: Keep WordPress core, themes and plugins on the latest version. Minor core releases are applied automatically, but themes, plugins and major releases usually need manual updating. Delete, not just deactivate, any plugin you are not using or that is no longer maintained. Also check the version of PHP you are using and keep it on a supported release, since a PHP version that no longer receives security fixes exposes the whole site. Always update from the official source only.
  3. Strong hosting server: Choose a hosting provider that takes security seriously. On shared hosting there is a risk of cross-site contamination, where a compromised neighbour on the same server reaches your files, so check that customer accounts are isolated from each other. Prefer hosts that offer backups and automatic WordPress updates.
  4. Changing the code base: Never edit the WordPress core files (even if a professional offers to), because such edits are overwritten by the next update or, worse, stop you from updating at all, which leaves known vulnerabilities in place. The same holds for plugins and themes: customise through a child theme, hooks and filters instead.
  5. Download from trusted sites: Always download from official and trusted sources such as the WordPress.org directories, where plugins and themes are reviewed before listing. Pirated copies from untrusted sites may be of poor quality and frequently contain backdoors that hand your site to an attacker.
  6. Making the site more secure: Implement HTTPS for your whole site, not only the login page, and use SFTP (SSH) or FTPS instead of plain FTP for file transfers. This encrypts data in transit. Passwords or credit card numbers sent unencrypted can be read by anyone on the network path, which is especially dangerous for a shopping site.
  7. Using backup plugins: It is essential to have a backup of your site. Many backup plugins are available in the WordPress.org plugin directory. Choose a well-maintained one and keep regular backups of both the files and the database, stored off the server (a backup kept on the same server is lost together with the site). If your site is hacked or crashes, you can at least restore your data quickly from the backup.
  8. Security plugin: The WordPress.org plugin directory has many security plugins that add malware scanning, login protection and file-change monitoring. Install one well-maintained plugin to make your site more secure.
  9. 2FA authentication: Rather than relying on a password alone to log in to the admin panel, use two-factor authentication. Along with the password you also need to provide a one-time code that expires after a short time: either a time-based token (TOTP) generated by an authenticator app or a code sent to your mobile number or e-mail address. An app-based token is preferable, because SMS and e-mail can be intercepted.
  10. Limit login attempts: Attackers' bots run brute-force or dictionary attacks against the login page. Block them with 2FA and by limiting login attempts, for example locking out an IP address after a handful of failed logins. Remember that wp-login.php is not the only entry point: XML-RPC (xmlrpc.php) also accepts credentials, so rate-limit or disable it too.
  11. Permissions: Don't hand over control of your WordPress site to anyone you don't need to. You never know whether a hacker is sitting nearby. If you do grant access, revoke it the moment the work is complete. Secondly, set file permissions so that files are CHMODed to 644 and folders to 755, with wp-config.php at 640 or 600 so that other accounts on the server cannot read your database credentials. No file should be world-writable, and the web server process should only be able to write to the uploads directory, never to the code.
  12. Preventing SQL injection attacks: Your database is not safe by default either. Put a strong username and password on it and give that user only the privileges WordPress needs. Changing the table prefix (wp_ by default) makes blind guessing slightly harder but is not a real defence: SQL injection is a bug in code that builds queries from user input, so keep plugins updated and, in any code of your own, always build queries with $wpdb->prepare() instead of string concatenation.
  13. Adding authentication keys: Add a set of unique authentication keys and salts to your wp-config.php file (the WordPress.org secret-key service generates them for you). These keys are used to sign the login cookies, so a stolen cookie cannot be forged and becomes useless once you rotate the keys; they do not encrypt the passwords themselves, which WordPress stores as salted hashes. Combined with strong passwords they make brute-force attacks harder.
  14. Disabling PHP execution: Edit the .htaccess file (on Apache) to disable any PHP execution in directories that should contain only static files. wp-content/uploads and wp-includes are the usual targets, because an attacker who manages to upload a PHP file there still needs the server to run it. On nginx the equivalent is a location rule in the server configuration, since .htaccess files are ignored.
  15. Enabling a firewall: Use a web application firewall (WAF) to protect your site from malicious requests. It filters suspicious traffic before it reaches WordPress, whether it runs as a plugin on the site or as a service in front of it, making your site healthier and safer.
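As an added example (not code from the original post or from Grace Themes), the shell script below automates steps 11 and 14 against a standard WordPress layout: it sets directories to 755, files to 644 and wp-config.php to 640, then drops a .htaccess into wp-content/uploads and wp-includes that refuses to serve PHP. The make_demo_site function builds a throwaway tree with deliberately bad permissions so the script can be tried without touching a real site; the site path, the function names and the demo tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: WordPress hardening helper for steps 11 and 14.
# Not part of the original post. Assumes a standard layout under the
# site root given as $1: wp-config.php, wp-includes/, wp-content/uploads/.

# Print the octal mode of a path (GNU stat, with BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 11: directories 755, files 644, wp-config.php 640 so that other
# accounts on a shared host cannot read the database credentials.
harden_permissions() {
    site="$1"
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    if [ -f "$site/wp-config.php" ]; then
        chmod 640 "$site/wp-config.php"
    fi
    # Report anything that is still world-writable; should print nothing.
    find "$site" -perm -002
}

# Step 14: refuse to serve PHP from a directory that should only hold
# static files. The pattern is not anchored at the end of the name, so a
# double-extension upload such as shell.php.jpg is caught as well.
# Covers both Apache 2.4 (Require) and 2.2 (Order/Deny) syntax.
block_php_execution() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# No PHP execution in this directory (added by hardening script)
<FilesMatch "\.ph(p[0-9]?|tml)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    chmod 644 "$dir/.htaccess"
}

# Apply both steps to a site root.
harden_site() {
    harden_permissions "$1"
    block_php_execution "$1/wp-content/uploads"
    block_php_execution "$1/wp-includes"
}

# Constructed sample input: a throwaway WordPress-shaped tree with
# deliberately bad modes, so the script can be tried without a real site.
make_demo_site() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
    printf '<?php // database credentials live here\n' > "$root/wp-config.php"
    printf '<?php echo "uploaded";\n' > "$root/wp-content/uploads/shell.php"
    chmod 777 "$root/wp-content/uploads"   # world-writable upload dir
    chmod 666 "$root/wp-config.php"        # credentials readable by all
    printf '%s\n' "$root"
}

# Usage: sh harden.sh /path/to/wordpress   (does nothing without an argument)
if [ -n "${1:-}" ]; then
    harden_site "$1"
fi
```

Run it as `sh harden.sh /path/to/wordpress` after taking a backup. The .htaccess rules only take effect where Apache is configured with AllowOverride for that directory, and they do nothing on nginx, where the same block must go into the server configuration. The permission step assumes the files are owned by your own account; if the web server runs as a different user it will then be unable to write to the code, which is the intent, but plugin and core updates through the dashboard may need FTP/SFTP credentials or a manual update instead.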

I have covered most aspects of securing your WordPress site that you can handle yourself. If everything fails, hire a professional to fix it for you. Follow these simple steps and your site will have a much better chance of a long and healthy future. Good luck!